__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Security Vulnerability in Sun Java System Access Manager
[Sun Alert ID: 102140]
February 2, 2006 18:00 GMT Number Q-114
[REVISED 23 Mar 2007]
______________________________________________________________________________
PROBLEM: A local user logged in as "root" on a system with Sun Java
System Access Manager may be able to use the "amadmin" CLI tool
to administer the Access Manager installation with the
privileges of the top-level administrator (regardless of the
credentials originally used to login to the Access Manager
server). Access Manager security is compromised.
PLATFORM: SPARC Platform
* Sun Java System Access Manager 7.0 (for Solaris 8, 9, 10)
without patch 120954-01
x86 Platform
* Sun Java System Access Manager 7.0 (for Solaris 9 and 10)
without patch 120955-01
LINUX Platform
* Sun Java System Access Manager 7.0 without patch 120956-01
Windows Platform
* Sun Java System Access Manager 7.0 without patch 124296-05
Notes: 1) Sun Java System Access Manager versions previous to
7.0 are not affected by this issue.
2) Sun Java System 7.0 is not supported on Solaris 8 for x86.
DAMAGE: A local user logged in as "root" on a system with Sun Java
System Access Manager may be able to use the "amadmin" CLI tool
to administer the Access Manager installation with the
privileges of the top-level administrator (regardless of the
credentials originally used to login to the Access Manager
server). Access Manager security is compromised.
SOLUTION: Upgrade to the appropriate versions.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. A local user logged in as "root" on a
ASSESSMENT: system with Sun Java System Access Manager may be able to use
the "amadmin" CLI tool to administer the Access Manager
installation with the privileges of the top-level administrator
(regardless of the credentials originally used to login to the
Access Manager server). Access Manager security is compromised.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-114.shtml
ORIGINAL BULLETIN: Sun Alert ID: 102140
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102140-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
______________________________________________________________________________
REVISION HISTORY:
03/23/2007 - revised Q-114 to reflect changes Sun has made in Sun Alert ID: 102140
where they updated Contributing Factors and Resolution sections.
[***** Start Sun Alert ID: 102140 *****]
Sun(sm) Alert Notification
Sun Alert ID: 102140
Synopsis: Security Vulnerability in Sun Java System Access Manager May Allow
Administrator Access to Users Logged in As Root
Category: Security
Product: Sun Java System Access Manager 7 2005Q4
BugIDs: 6356879
Avoidance: Patch
State: Resolved
Date Released: 01-Feb-2006
Date Closed: 01-Feb-2006
Date Modified: 23-Mar-2007
1. Impact
A local user logged in as "root" on a system with Sun Java System Access Manager
may be able to use the "amadmin" CLI tool to administer the Access Manager
installation with the privileges of the top-level administrator (regardless of the
credentials originally used to login to the Access Manager server). Access Manager
security is compromised.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Sun Java System Access Manager 7.0 (for Solaris 8, 9 and 10) without patch 120954-01
x86 Platform
* Sun Java System Access Manager 7.0 (for Solaris 9 and 10) without patch 120955-01
LINUX Platform
* Sun Java System Access Manager 7.0 without patch 120956-01
Windows Platform
* Sun Java System Access Manager 7.0 without patch 124296-05
Notes:
Sun Java System Access Manager versions previous to 7.0 are not affected by this issue.
Sun Java System 7.0 is not supported on Solaris 8 for x86.
To determine if Sun Java System Access Manager is installed on a system, the following
command can be run:
% pkginfo -l SUNWamsvc
PKGINST: SUNWamsvc
NAME: Sun Java System Access Manager Services
CATEGORY: application
ARCH: all
VERSION: 7.0,REV=05.08.10.09.17
To determine the version of Sun Java System Access Manager on a system, the "amadmin"
command can be run from the directory in which Access Manager was installed, as in the
following example:
# /bin/amadmin --version
Sun Java System Access Manager 7 2005Q4
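The two checks above can be combined into a single assessment of a Solaris host against the patch levels this bulletin names. The script below is an added example, not part of the CIAC bulletin or Sun Alert; it assumes Solaris "showrev -p" output for the installed-patch list (a command the bulletin does not mention) and uses constructed sample command output so it runs offline. Linux and Windows patches are delivered differently and are reported as not applicable here.

```sh
#!/bin/sh
# Added example: is a Solaris host still exposed to Sun Alert 102140?

# Bulletin mapping of Solaris processor type to the patch that resolves the issue.
required_patch() {
    case "$1" in
        sparc) echo 120954-01 ;;   # SPARC, Solaris 8/9/10
        i386)  echo 120955-01 ;;   # x86, Solaris 9/10
        *)     return 1 ;;         # Linux/Windows patches are not tracked by showrev
    esac
}

# patch_satisfied REQUIRED_ID SHOWREV_OUTPUT
# True when "showrev -p" lists the same patch base with revision >= the required one
# ("120954-01 or later" means any 120954-NN with NN >= 01).
patch_satisfied() {
    base=${1%-*}; rev=${1#*-}
    printf '%s\n' "$2" | awk -v base="$base" -v rev="$rev" '
        $1 == "Patch:" { split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= rev + 0) found = 1 }
        END { exit found ? 0 : 1 }'
}

# am70_installed PKGINFO_OUTPUT: true when SUNWamsvc reports VERSION 7.0,
# the only release the bulletin lists as affected.
am70_installed() {
    printf '%s\n' "$1" | awk '$1 == "VERSION:" && $2 ~ /^7\.0/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# assess ARCH PKGINFO_OUTPUT SHOWREV_OUTPUT -> prints patched | vulnerable | not-applicable
assess() {
    am70_installed "$2" || { echo not-applicable; return 0; }
    req=$(required_patch "$1") || { echo not-applicable; return 0; }
    if patch_satisfied "$req" "$3"; then echo patched; else echo vulnerable; fi
}

# Constructed sample outputs (not captured from a real host).
PKGINFO_70='PKGINST:  SUNWamsvc
NAME:  Sun Java System Access Manager Services
VERSION:  7.0,REV=05.08.10.09.17'
SHOWREV_OLD='Patch: 118833-36 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'
SHOWREV_NEW="$SHOWREV_OLD
Patch: 120954-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWamsvc"

# Live use on a Solaris host (commented out so the example runs anywhere):
# assess "$(uname -p)" "$(pkginfo -l SUNWamsvc 2>/dev/null)" "$(showrev -p)"
```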
3. Symptoms
Sun Java System Access Manager may not function properly and/or product configuration
and user data may be stolen or compromised.
Solution Summary
4. Relief/Workaround
There is no workaround to this issue. Please see the Resolution section below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Sun Java System Access Manager 7.0 (for Solaris 8, 9 and 10) with patch 120954-01 or later
x86 Platform
* Sun Java System Access Manager 7.0 (for Solaris 9 and 10) with patch 120955-01 or later
LINUX Platform
* Sun Java System Access Manager 7.0 with patch 120956-01 or later
Windows Platform
* Sun Java System Access Manager 7.0 without patch 124296-05
Change History
23-Mar-2007:
* Updated Contributing Factors and Resolution sections.
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert
notification may contain information provided by third parties. The issues described in
this Sun Alert notification may or may not impact your system(s). Sun makes no
representations, warranties, or guarantees as to the information contained herein. ANY AND
ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF
YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification
contains Sun proprietary and confidential information. It is being provided to you pursuant
to the provisions of your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used
for the purposes contemplated by these agreements.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A.
All rights reserved.
[***** End Sun Alert ID: 102140 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
Q-104: ClamAV Remote Code Execution
Q-105: Apple QuickTime Vulnerabilities
Q-106: kdelibs Buffer Overflow
Q-107: sudo Vulnerabilities
Q-108: Wine
Q-109: Security Vulnerabilities in Sun StorEdge Enterprise Backup Software (EBS)
Q-110: ImageMagick
Q-111: HP Tru64 UNIX Running DNS BIND
Q-112: Mozilla Security Update
Q-113: Firefox Security Update